The cr.yp.to microblog: 2020.06.27 15:06:38

2020.06.27 15:06:38 (1276864517390036993) from Daniel J. Bernstein, replying to "Frank ⚡ (@jedisct1)" (1270337966746087430):

Page 31 of https://cr.yp.to/talks/2005.09.20/slides.pdf mentioned that setting high bit "avoids infinity and avoids timing attacks". This was six years before https://eprint.iacr.org/2011/232.pdf extracted keys from exactly this timing leak in OpenSSL. See also https://cr.yp.to/talks.html#2014.07.23 and https://mailarchive.ietf.org/arch/msg/cfrg/pt2bt3fGQbNF8qdEcorp-rJSJrc/.

2020.06.27 15:28:02 (1276869902813421569) from Daniel J. Bernstein:

The high bit is an example of a much broader success story: many security failures in cryptographic implementations can be predicted by cryptographic designers and proactively avoided through changes in designs. See, e.g., https://cr.yp.to/talks.html#2015.01.07 and https://blog.cr.yp.to/20191024-eddsa.html.

Context

2020.06.09 14:28:19 (1270331893020491777) from "Steve (@Sc00bzT)", replying to "Steve (@Sc00bzT)" (1270331532490747904):

It breaks when:

(3*(q-2**252)-1)/2 ≤ x*y % q ≤ q - (3*(q-2**252)-1)/2

Where
2**251 ≤ x < 2**252
2**251 ≤ y < 2**252
and
s1 = 8*x
s2 = 8*y

2020.06.09 14:30:40 (1270332482555187200) from "Steve (@Sc00bzT)", replying to "Steve (@Sc00bzT)" (1270331893020491777):

To generate ones that don't work:

s1 = random()
s2 = invert(clamp(s1) >> 3, q) << 3
if s2 != clamp(s2)
  s2 = 8*q - s2
if s2 != clamp(s2)
  retry // very rare

2020.06.09 14:35:38 (1270333735897108482) from "Steve (@Sc00bzT)", replying to "Steve (@Sc00bzT)" (1270332482555187200):

The method tries (-s1*s2) (mod q) if (s1*s2) (mod q) fails because:

X25519_noclamp(x, P) == X25519_noclamp(q - x % q, P)

P.S. Clamping also prevents "clamp(x) == 0 (mod q)".

2020.06.09 14:52:27 (1270337966746087430) from "Frank ⚡ (@jedisct1)", replying to "Steve (@Sc00bzT)" (1270333735897108482):

Requiring the high bit to be set was a terrible decision. It never protected any specialized implementation, yet is utterly confusing and breaks associativity. And clamping was also applied to EdDSA for no good reasons.